Yesterday's worm rampage that left many a Tumblr site "defaced" with a message by Internet troll group GNAA was the result of improper input sanitization.

"It appears that the worm took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages," explained Sophos' Graham Cluley.

Those who weren't logged in were redirected to the standard login page; once they logged in, the offending post would then continue doing its thing and reblog itself onto their Tumblr.

"It shouldn't have been possible for someone to post such malicious JavaScript into a Tumblr post - our assumption is that the attackers managed to skirt around Tumblr's defences by disguising their code through Base 64 encoding and embedding it in a data URI," concluded Cluley.
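To make the disguise Cluley describes concrete, here is an added example (not Tumblr's code, nor anything from the reports quoted in this article) written for Node.js: a naive substring filter that only looks for a literal `<script` tag, beside a scanner that decodes `data:` URIs found in a stored post before inspecting them, and an allowlist check that rejects any `data:` URI whose media type is not a plain image. The post markup, the embedded marker text and the function names are constructed for this example.

```javascript
// Added example, not Tumblr's code: why a substring filter misses a
// Base64-encoded payload inside a data: URI, and what a decoding scanner
// plus a media-type allowlist catch instead. Runs under Node.js.

const SAFE_SCHEMES = new Set(["http:", "https:"]);
const SAFE_DATA_TYPES = new Set(["image/png", "image/jpeg", "image/gif"]);

// Constructed sample post: the only <script> text in it is Base64-encoded
// inside a data:text/html URI, so no literal "<script" appears in the markup.
const HIDDEN_MARKUP = "<script>/* constructed test marker */</script>";
const SAMPLE_POST =
  '<p>reblog me</p><a href="data:text/html;base64,' +
  Buffer.from(HIDDEN_MARKUP, "utf8").toString("base64") +
  '">link</a>';

// Naive filter: flags a post only if the raw markup contains "<script".
function naiveFilterFlags(html) {
  return /<script/i.test(html);
}

// Parse a data: URI into its media type and decoded body.
// Returns null when the value is not a data: URI at all.
function parseDataUri(value) {
  const m = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i.exec(value.trim());
  if (!m) return null;
  const mediaType = (m[1] || "text/plain").split(";")[0].trim().toLowerCase();
  try {
    const body = m[2]
      ? Buffer.from(m[3], "base64").toString("utf8")
      : decodeURIComponent(m[3]);
    return { mediaType, body, decodeError: false };
  } catch {
    return { mediaType, body: "", decodeError: true };
  }
}

// Scanner for stored content: pull every data: URI out of src/href
// attributes, decode it, and report whether the decoded body carries markup
// that can execute script. Useful for auditing what a filter let through.
function scanPostForHiddenScript(html) {
  const findings = [];
  const attr = /\b(?:src|href)\s*=\s*"(data:[^"]*)"/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const parsed = parseDataUri(m[1]);
    if (!parsed) continue;
    findings.push({
      uri: m[1],
      mediaType: parsed.mediaType,
      containsScript: /<\s*(script|iframe|object|embed|svg)\b/i.test(parsed.body),
    });
  }
  return findings;
}

// Allowlist check for a URL in user content: only http(s), or a data: URI
// whose media type is a plain raster image. No decoding is needed to decide,
// because the decision rests on the declared type, not on what the body says.
function isAllowedUrl(value) {
  const trimmed = value.trim();
  const data = parseDataUri(trimmed);
  if (data) {
    return !data.decodeError && SAFE_DATA_TYPES.has(data.mediaType);
  }
  let url;
  try {
    url = new URL(trimmed);
  } catch {
    return false; // relative or unparsable: reject rather than guess
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Stand-alone demonstration.
console.log("naive filter flags the post:", naiveFilterFlags(SAMPLE_POST));
for (const f of scanPostForHiddenScript(SAMPLE_POST)) {
  console.log(
    `data URI of type ${f.mediaType}, hidden script: ${f.containsScript}, allowed: ${isAllowedUrl(f.uri)}`
  );
}
```

The design point is that the scanner exists for detection and review, while the allowlist is what actually prevents the class of bypass: a check that decides on the declared media type and scheme never has to keep up with new ways of encoding the body.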

In the meantime, Tumblr has disabled posting for a couple of hours and proceeded to clear the affected accounts. According to a Twitter post by the company, the issue has been resolved.

Security researcher Janne Ahlberg saw the tweet but decided to check for himself whether the root cause - the XSS vulnerability - had been resolved as well, since Tumblr is not exactly famous for fixing issues quickly.

"I created a temporary Tumblr account using a different browser, submitted a public post with a stored XSS payload and visited the profile from another PC & a different account. The vulnerability seems to be valid," he pointed out.
